WordPress Security 101

It seems like there’s a new data breach wreaking havoc on businesses and consumers alike every month. If the biggest and most well-funded organizations in the world are being compromised, it’s worth being prepared and ensuring that each WordPress site you operate is properly secured.

As a WordPress site owner, it’s imperative that you do everything you can to make sure that your data and your users’ data are as secure as possible. WordPress takes care of a lot of the job of securing your site for you, but there are several things you can do to make your site more secure. This is especially true if you’re using your WordPress site as an eCommerce solution. You may not be storing credit cards on the site (never a good idea; leave card handling to your payment processor), but your customers’ names, addresses, phone numbers and more could be at risk.

In today’s post, we’re sharing part 1 in our series on practical tips for securing your WordPress site.

Passwords

This should go without saying, but a strong password is essential for your WordPress admin users. Gone are the days of using a password that’s easy to remember, like a pet’s name or the name of the street you grew up on. Automated brute-force and dictionary attacks try exactly those kinds of guesses first, which makes passwords like these impractical.

WordPress has taken a step in its latest versions to help site owners avoid this mistake with the introduction of a built-in strong password generator that suggests a long, random password. A password like that is effectively immune to guessing attacks. Bear in mind that password strength only defends against guessing; it does not help if the password is phished or reused on another site that gets breached, so treat it as one layer rather than the whole defense.

We highly suggest using the password WordPress generates. It’s also not wise to simply write the password on a Post-it note and stick it to your monitor. Instead, use a password manager that keeps all of your passwords in one secure location, such as LastPass. That way, you won’t have to worry about remembering passwords, and you can simply copy and paste your long, complicated password when you need it.

Staying Up-to-Date

This is perhaps the most important bit of security advice you can follow as a site owner. It is absolutely imperative that your WordPress core files, plugins and themes are updated to their latest versions. This matters for both the stability and the security of WordPress. If you’re using a managed WordPress host, such as Pressable, WordPress core updates are handled for you. If, however, you’re on a self-managed platform, it’s important to keep your software up to date using the WordPress update tool.

At Pressable, we manage several plugins for our customers: Jetpack, Akismet, VaultPress and (if you choose our WooCommerce option) the WooCommerce plugin. This doesn’t mean you necessarily have to use them, but we do automatically update these plugins to make sure you’re always running the latest version of the software.

All other plugins are up to you. It’s not uncommon to see users hold off on updating a plugin for a number of reasons. Sometimes they’re afraid the update will break something on their site. This is a legitimate concern, but the right response is to apply the update (ideally on a staging copy first) and fix whatever breaks, not to leave the plugin unpatched.

Whenever a new version of a plugin is released, a changelog is usually published along with it, outlining the changes made since the previous version. When a release fixes a security issue, the changelog effectively makes that vulnerability public knowledge: attackers compare the old and new code to work out what was fixed, then scan for sites still running the old version. If a plugin isn’t updated, a window into your site is left wide open.
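For a self-managed site, one way to close that window quickly is to let WordPress apply plugin and theme updates itself, while keeping a short list of plugins you prefer to update by hand after testing. The following must-use plugin is an added example written for this post, not code from Pressable or from WordPress itself; it uses the core auto_update_plugin, auto_update_theme and allow_minor_auto_core_updates filters, and the plugin slug in the manual-update list is a hypothetical placeholder.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Auto-update plugins and themes, except a short list handled by hand.
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Files in mu-plugins
 * load automatically and cannot be deactivated from the dashboard.
 */

// Plugins you deliberately update yourself after testing on staging.
// 'example-shop-plugin' is a hypothetical slug; put your own here.
const AUTO_UPDATE_POLICY_MANUAL_PLUGINS = array( 'example-shop-plugin' );

// Return true to let WordPress install a plugin update unattended.
// $item is the update object; for plugins it carries the directory slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	if ( isset( $item->slug ) && in_array( $item->slug, AUTO_UPDATE_POLICY_MANUAL_PLUGINS, true ) ) {
		return false; // leave this one for a manual, tested update
	}
	return true;
}, 10, 2 );

// Themes: auto-update everything. Only safe if your customizations live in a
// child theme, since a theme update replaces the parent theme's files.
add_filter( 'auto_update_theme', '__return_true' );

// Core: minor (security and maintenance) releases are auto-applied by default;
// state that explicitly so nobody silently turns it off in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
```

Auto-updates run from WP-Cron, which is only triggered by page visits unless you schedule wp-cron.php from a system cron job, so a low-traffic site should have that cron job in place. Plugins on the manual list still show up in the dashboard’s update notices; the point is to decide which ones you test rather than to skip them.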

The same principle applies to themes. We often see users who’ve made changes to their theme hold off on theme updates for fear of losing those changes. This is a legitimate concern: if the theme was modified directly rather than through a child theme, the changes will most likely be lost. The problem is that the entire site may be compromised by the outdated theme.

It’s never a good idea to modify your theme’s code directly. The use of a child theme is highly encouraged because it allows you to modify your theme at the code level without losing your changes from an update. You can learn more about child themes here.
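Here is what a minimal child theme looks like, as an added example for this post rather than code from the page’s author. It assumes the parent theme is Twenty Twenty (directory twentytwenty, stylesheet handle twentytwenty-style); substitute your own theme’s directory name and handle. Alongside this functions.php, the child theme directory needs a style.css whose header declares the parent with a Template line, for example “Theme Name: Twenty Twenty Child” and “Template: twentytwenty”.

```php
<?php
/**
 * wp-content/themes/twentytwenty-child/functions.php (added example).
 *
 * A child theme's functions.php is loaded before the parent's, and the
 * parent's files are never edited, so a parent theme update cannot wipe
 * out anything below.
 */

// Load the parent stylesheet first, then the child's, so child rules win.
add_action( 'wp_enqueue_scripts', function () {
	$parent_handle = 'twentytwenty-style'; // assumed handle used by the parent theme

	wp_enqueue_style(
		$parent_handle,
		get_template_directory_uri() . '/style.css',          // parent directory
		array(),
		wp_get_theme( get_template() )->get( 'Version' )
	);

	wp_enqueue_style(
		'twentytwenty-child-style',
		get_stylesheet_directory_uri() . '/style.css',        // child directory
		array( $parent_handle ),
		wp_get_theme()->get( 'Version' )
	);
} );

// Behaviour changes go through hooks, not by editing parent files.
// Example: shorten automatic excerpts to 30 words.
add_filter( 'excerpt_length', function () {
	return 30;
}, 999 );

// Template files (page.php, header.php, ...) can be overridden by copying
// them into the child directory; WordPress checks the child first.
```

Two things to check after setting this up: the Template line in style.css must match the parent theme’s directory name exactly, or the child will not activate, and any function the parent declares without a function_exists() guard cannot be redefined in the child, so reach for a filter or action instead of redefining it.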

These are just a few of the first steps you can take to secure your WordPress site. Look for part 2 of our security series in the coming weeks, where we’ll explore additional best practices and share how you can avoid the most common mistakes made in the name of WordPress security.